1 /* auditsc.c -- System-call auditing support 2 * Handles all system-call specific auditing features. 3 * 4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 5 * Copyright 2005 Hewlett-Packard Development Company, L.P. 6 * Copyright (C) 2005, 2006 IBM Corporation 7 * All Rights Reserved. 8 * 9 * This program is free software; you can redistribute it and/or modify 10 * it under the terms of the GNU General Public License as published by 11 * the Free Software Foundation; either version 2 of the License, or 12 * (at your option) any later version. 13 * 14 * This program is distributed in the hope that it will be useful, 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 * GNU General Public License for more details. 18 * 19 * You should have received a copy of the GNU General Public License 20 * along with this program; if not, write to the Free Software 21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 22 * 23 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 24 * 25 * Many of the ideas implemented here are from Stephen C. Tweedie, 26 * especially the idea of avoiding a copy by using getname. 27 * 28 * The method for actual interception of syscall entry and exit (not in 29 * this file -- see entry.S) is based on a GPL'd patch written by 30 * okir@suse.de and Copyright 2003 SuSE Linux AG. 31 * 32 * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>, 33 * 2006. 34 * 35 * The support of additional filter rules compares (>, <, >=, <=) was 36 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005. 37 * 38 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional 39 * filesystem information. 40 * 41 * Subject and object context labeling support added by <danjones@us.ibm.com> 42 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance. 43 */ 44 45 #include <linux/init.h> 46 #include <asm/types.h> 47 #include <asm/atomic.h> 48 #include <asm/types.h> 49 #include <linux/fs.h> 50 #include <linux/namei.h> 51 #include <linux/mm.h> 52 #include <linux/module.h> 53 #include <linux/mount.h> 54 #include <linux/socket.h> 55 #include <linux/mqueue.h> 56 #include <linux/audit.h> 57 #include <linux/personality.h> 58 #include <linux/time.h> 59 #include <linux/netlink.h> 60 #include <linux/compiler.h> 61 #include <asm/unistd.h> 62 #include <linux/security.h> 63 #include <linux/list.h> 64 #include <linux/tty.h> 65 #include <linux/selinux.h> 66 #include <linux/binfmts.h> 67 #include <linux/syscalls.h> 68 69 #include "audit.h" 70 71 extern struct list_head audit_filter_list[]; 72 73 /* No syscall auditing will take place unless audit_enabled != 0. */ 74 extern int audit_enabled; 75 76 /* AUDIT_NAMES is the number of slots we reserve in the audit_context 77 * for saving names from getname(). */ 78 #define AUDIT_NAMES 20 79 80 /* AUDIT_NAMES_RESERVED is the number of slots we reserve in the 81 * audit_context from being used for nameless inodes from 82 * path_lookup. */ 83 #define AUDIT_NAMES_RESERVED 7 84 85 /* Indicates that audit should log the full pathname. */ 86 #define AUDIT_NAME_FULL -1 87 88 /* When fs/namei.c:getname() is called, we store the pointer in name and 89 * we don't let putname() free it (instead we free all of the saved 90 * pointers at syscall exit time). 91 * 92 * Further, in fs/namei.c:path_lookup() we store the inode and device. */ 93 struct audit_names { 94 const char *name; 95 int name_len; /* number of name's characters to log */ 96 unsigned name_put; /* call __putname() for this name */ 97 unsigned long ino; 98 dev_t dev; 99 umode_t mode; 100 uid_t uid; 101 gid_t gid; 102 dev_t rdev; 103 u32 osid; 104 }; 105 106 struct audit_aux_data { 107 struct audit_aux_data *next; 108 int type; 109 }; 110 111 #define AUDIT_AUX_IPCPERM 0 112 113 struct audit_aux_data_mq_open { 114 struct audit_aux_data d; 115 int oflag; 116 mode_t mode; 117 struct mq_attr attr; 118 }; 119 120 struct audit_aux_data_mq_sendrecv { 121 struct audit_aux_data d; 122 mqd_t mqdes; 123 size_t msg_len; 124 unsigned int msg_prio; 125 struct timespec abs_timeout; 126 }; 127 128 struct audit_aux_data_mq_notify { 129 struct audit_aux_data d; 130 mqd_t mqdes; 131 struct sigevent notification; 132 }; 133 134 struct audit_aux_data_mq_getsetattr { 135 struct audit_aux_data d; 136 mqd_t mqdes; 137 struct mq_attr mqstat; 138 }; 139 140 struct audit_aux_data_ipcctl { 141 struct audit_aux_data d; 142 struct ipc_perm p; 143 unsigned long qbytes; 144 uid_t uid; 145 gid_t gid; 146 mode_t mode; 147 u32 osid; 148 }; 149 150 struct audit_aux_data_execve { 151 struct audit_aux_data d; 152 int argc; 153 int envc; 154 char mem[0]; 155 }; 156 157 struct audit_aux_data_socketcall { 158 struct audit_aux_data d; 159 int nargs; 160 unsigned long args[0]; 161 }; 162 163 struct audit_aux_data_sockaddr { 164 struct audit_aux_data d; 165 int len; 166 char a[0]; 167 }; 168 169 struct audit_aux_data_path { 170 struct audit_aux_data d; 171 struct dentry *dentry; 172 struct vfsmount *mnt; 173 }; 174 175 /* The per-task audit context. */ 176 struct audit_context { 177 int in_syscall; /* 1 if task is in a syscall */ 178 enum audit_state state; 179 unsigned int serial; /* serial number for record */ 180 struct timespec ctime; /* time of syscall entry */ 181 uid_t loginuid; /* login uid (identity) */ 182 int major; /* syscall number */ 183 unsigned long argv[4]; /* syscall arguments */ 184 int return_valid; /* return code is valid */ 185 long return_code;/* syscall return code */ 186 int auditable; /* 1 if record should be written */ 187 int name_count; 188 struct audit_names names[AUDIT_NAMES]; 189 struct dentry * pwd; 190 struct vfsmount * pwdmnt; 191 struct audit_context *previous; /* For nested syscalls */ 192 struct audit_aux_data *aux; 193 194 /* Save things to print about task_struct */ 195 pid_t pid, ppid; 196 uid_t uid, euid, suid, fsuid; 197 gid_t gid, egid, sgid, fsgid; 198 unsigned long personality; 199 int arch; 200 201 #if AUDIT_DEBUG 202 int put_count; 203 int ino_count; 204 #endif 205 }; 206 207 /* Determine if any context name data matches a rule's watch data */ 208 /* Compare a task_struct with an audit_rule. Return 1 on match, 0 209 * otherwise. */ 210 static int audit_filter_rules(struct task_struct *tsk, 211 struct audit_krule *rule, 212 struct audit_context *ctx, 213 struct audit_names *name, 214 enum audit_state *state) 215 { 216 int i, j, need_sid = 1; 217 u32 sid; 218 219 for (i = 0; i < rule->field_count; i++) { 220 struct audit_field *f = &rule->fields[i]; 221 int result = 0; 222 223 switch (f->type) { 224 case AUDIT_PID: 225 result = audit_comparator(tsk->pid, f->op, f->val); 226 break; 227 case AUDIT_PPID: 228 if (ctx) 229 result = audit_comparator(ctx->ppid, f->op, f->val); 230 break; 231 case AUDIT_UID: 232 result = audit_comparator(tsk->uid, f->op, f->val); 233 break; 234 case AUDIT_EUID: 235 result = audit_comparator(tsk->euid, f->op, f->val); 236 break; 237 case AUDIT_SUID: 238 result = audit_comparator(tsk->suid, f->op, f->val); 239 break; 240 case AUDIT_FSUID: 241 result = audit_comparator(tsk->fsuid, f->op, f->val); 242 break; 243 case AUDIT_GID: 244 result = audit_comparator(tsk->gid, f->op, f->val); 245 break; 246 case AUDIT_EGID: 247 result = audit_comparator(tsk->egid, f->op, f->val); 248 break; 249 case AUDIT_SGID: 250 result = audit_comparator(tsk->sgid, f->op, f->val); 251 break; 252 case AUDIT_FSGID: 253 result = audit_comparator(tsk->fsgid, f->op, f->val); 254 break; 255 case AUDIT_PERS: 256 result = audit_comparator(tsk->personality, f->op, f->val); 257 break; 258 case AUDIT_ARCH: 259 if (ctx) 260 result = audit_comparator(ctx->arch, f->op, f->val); 261 break; 262 263 case AUDIT_EXIT: 264 if (ctx && ctx->return_valid) 265 result = audit_comparator(ctx->return_code, f->op, f->val); 266 break; 267 case AUDIT_SUCCESS: 268 if (ctx && ctx->return_valid) { 269 if (f->val) 270 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS); 271 else 272 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE); 273 } 274 break; 275 case AUDIT_DEVMAJOR: 276 if (name) 277 result = audit_comparator(MAJOR(name->dev), 278 f->op, f->val); 279 else if (ctx) { 280 for (j = 0; j < ctx->name_count; j++) { 281 if (audit_comparator(MAJOR(ctx->names[j].dev), f->op, f->val)) { 282 ++result; 283 break; 284 } 285 } 286 } 287 break; 288 case AUDIT_DEVMINOR: 289 if (name) 290 result = audit_comparator(MINOR(name->dev), 291 f->op, f->val); 292 else if (ctx) { 293 for (j = 0; j < ctx->name_count; j++) { 294 if (audit_comparator(MINOR(ctx->names[j].dev), f->op, f->val)) { 295 ++result; 296 break; 297 } 298 } 299 } 300 break; 301 case AUDIT_INODE: 302 if (name) 303 result = (name->ino == f->val); 304 else if (ctx) { 305 for (j = 0; j < ctx->name_count; j++) { 306 if (audit_comparator(ctx->names[j].ino, f->op, f->val)) { 307 ++result; 308 break; 309 } 310 } 311 } 312 break; 313 case AUDIT_WATCH: 314 if (name && rule->watch->ino != (unsigned long)-1) 315 result = (name->dev == rule->watch->dev && 316 name->ino == rule->watch->ino); 317 break; 318 case AUDIT_LOGINUID: 319 result = 0; 320 if (ctx) 321 result = audit_comparator(ctx->loginuid, f->op, f->val); 322 break; 323 case AUDIT_SE_USER: 324 case AUDIT_SE_ROLE: 325 case AUDIT_SE_TYPE: 326 case AUDIT_SE_SEN: 327 case AUDIT_SE_CLR: 328 /* NOTE: this may return negative values indicating 329 a temporary error. We simply treat this as a 330 match for now to avoid losing information that 331 may be wanted. An error message will also be 332 logged upon error */ 333 if (f->se_rule) { 334 if (need_sid) { 335 selinux_task_ctxid(tsk, &sid); 336 need_sid = 0; 337 } 338 result = selinux_audit_rule_match(sid, f->type, 339 f->op, 340 f->se_rule, 341 ctx); 342 } 343 break; 344 case AUDIT_ARG0: 345 case AUDIT_ARG1: 346 case AUDIT_ARG2: 347 case AUDIT_ARG3: 348 if (ctx) 349 result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val); 350 break; 351 } 352 353 if (!result) 354 return 0; 355 } 356 switch (rule->action) { 357 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 358 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 359 } 360 return 1; 361 } 362 363 /* At process creation time, we can determine if system-call auditing is 364 * completely disabled for this task. Since we only have the task 365 * structure at this point, we can only check uid and gid. 366 */ 367 static enum audit_state audit_filter_task(struct task_struct *tsk) 368 { 369 struct audit_entry *e; 370 enum audit_state state; 371 372 rcu_read_lock(); 373 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) { 374 if (audit_filter_rules(tsk, &e->rule, NULL, NULL, &state)) { 375 rcu_read_unlock(); 376 return state; 377 } 378 } 379 rcu_read_unlock(); 380 return AUDIT_BUILD_CONTEXT; 381 } 382 383 /* At syscall entry and exit time, this filter is called if the 384 * audit_state is not low enough that auditing cannot take place, but is 385 * also not high enough that we already know we have to write an audit 386 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT). 387 */ 388 static enum audit_state audit_filter_syscall(struct task_struct *tsk, 389 struct audit_context *ctx, 390 struct list_head *list) 391 { 392 struct audit_entry *e; 393 enum audit_state state; 394 395 if (audit_pid && tsk->tgid == audit_pid) 396 return AUDIT_DISABLED; 397 398 rcu_read_lock(); 399 if (!list_empty(list)) { 400 int word = AUDIT_WORD(ctx->major); 401 int bit = AUDIT_BIT(ctx->major); 402 403 list_for_each_entry_rcu(e, list, list) { 404 if ((e->rule.mask[word] & bit) == bit && 405 audit_filter_rules(tsk, &e->rule, ctx, NULL, 406 &state)) { 407 rcu_read_unlock(); 408 return state; 409 } 410 } 411 } 412 rcu_read_unlock(); 413 return AUDIT_BUILD_CONTEXT; 414 } 415 416 /* At syscall exit time, this filter is called if any audit_names[] have been 417 * collected during syscall processing. We only check rules in sublists at hash 418 * buckets applicable to the inode numbers in audit_names[]. 419 * Regarding audit_state, same rules apply as for audit_filter_syscall(). 420 */ 421 enum audit_state audit_filter_inodes(struct task_struct *tsk, 422 struct audit_context *ctx) 423 { 424 int i; 425 struct audit_entry *e; 426 enum audit_state state; 427 428 if (audit_pid && tsk->tgid == audit_pid) 429 return AUDIT_DISABLED; 430 431 rcu_read_lock(); 432 for (i = 0; i < ctx->name_count; i++) { 433 int word = AUDIT_WORD(ctx->major); 434 int bit = AUDIT_BIT(ctx->major); 435 struct audit_names *n = &ctx->names[i]; 436 int h = audit_hash_ino((u32)n->ino); 437 struct list_head *list = &audit_inode_hash[h]; 438 439 if (list_empty(list)) 440 continue; 441 442 list_for_each_entry_rcu(e, list, list) { 443 if ((e->rule.mask[word] & bit) == bit && 444 audit_filter_rules(tsk, &e->rule, ctx, n, &state)) { 445 rcu_read_unlock(); 446 return state; 447 } 448 } 449 } 450 rcu_read_unlock(); 451 return AUDIT_BUILD_CONTEXT; 452 } 453 454 void audit_set_auditable(struct audit_context *ctx) 455 { 456 ctx->auditable = 1; 457 } 458 459 static inline struct audit_context *audit_get_context(struct task_struct *tsk, 460 int return_valid, 461 int return_code) 462 { 463 struct audit_context *context = tsk->audit_context; 464 465 if (likely(!context)) 466 return NULL; 467 context->return_valid = return_valid; 468 context->return_code = return_code; 469 470 if (context->in_syscall && !context->auditable) { 471 enum audit_state state; 472 473 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]); 474 if (state == AUDIT_RECORD_CONTEXT) { 475 context->auditable = 1; 476 goto get_context; 477 } 478 479 state = audit_filter_inodes(tsk, context); 480 if (state == AUDIT_RECORD_CONTEXT) 481 context->auditable = 1; 482 483 } 484 485 get_context: 486 context->pid = tsk->pid; 487 context->ppid = sys_getppid(); /* sic. tsk == current in all cases */ 488 context->uid = tsk->uid; 489 context->gid = tsk->gid; 490 context->euid = tsk->euid; 491 context->suid = tsk->suid; 492 context->fsuid = tsk->fsuid; 493 context->egid = tsk->egid; 494 context->sgid = tsk->sgid; 495 context->fsgid = tsk->fsgid; 496 context->personality = tsk->personality; 497 tsk->audit_context = NULL; 498 return context; 499 } 500 501 static inline void audit_free_names(struct audit_context *context) 502 { 503 int i; 504 505 #if AUDIT_DEBUG == 2 506 if (context->auditable 507 ||context->put_count + context->ino_count != context->name_count) { 508 printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d" 509 " name_count=%d put_count=%d" 510 " ino_count=%d [NOT freeing]\n", 511 __FILE__, __LINE__, 512 context->serial, context->major, context->in_syscall, 513 context->name_count, context->put_count, 514 context->ino_count); 515 for (i = 0; i < context->name_count; i++) { 516 printk(KERN_ERR "names[%d] = %p = %s\n", i, 517 context->names[i].name, 518 context->names[i].name ?: "(null)"); 519 } 520 dump_stack(); 521 return; 522 } 523 #endif 524 #if AUDIT_DEBUG 525 context->put_count = 0; 526 context->ino_count = 0; 527 #endif 528 529 for (i = 0; i < context->name_count; i++) { 530 if (context->names[i].name && context->names[i].name_put) 531 __putname(context->names[i].name); 532 } 533 context->name_count = 0; 534 if (context->pwd) 535 dput(context->pwd); 536 if (context->pwdmnt) 537 mntput(context->pwdmnt); 538 context->pwd = NULL; 539 context->pwdmnt = NULL; 540 } 541 542 static inline void audit_free_aux(struct audit_context *context) 543 { 544 struct audit_aux_data *aux; 545 546 while ((aux = context->aux)) { 547 if (aux->type == AUDIT_AVC_PATH) { 548 struct audit_aux_data_path *axi = (void *)aux; 549 dput(axi->dentry); 550 mntput(axi->mnt); 551 } 552 553 context->aux = aux->next; 554 kfree(aux); 555 } 556 } 557 558 static inline void audit_zero_context(struct audit_context *context, 559 enum audit_state state) 560 { 561 uid_t loginuid = context->loginuid; 562 563 memset(context, 0, sizeof(*context)); 564 context->state = state; 565 context->loginuid = loginuid; 566 } 567 568 static inline struct audit_context *audit_alloc_context(enum audit_state state) 569 { 570 struct audit_context *context; 571 572 if (!(context = kmalloc(sizeof(*context), GFP_KERNEL))) 573 return NULL; 574 audit_zero_context(context, state); 575 return context; 576 } 577 578 /** 579 * audit_alloc - allocate an audit context block for a task 580 * @tsk: task 581 * 582 * Filter on the task information and allocate a per-task audit context 583 * if necessary. Doing so turns on system call auditing for the 584 * specified task. This is called from copy_process, so no lock is 585 * needed. 586 */ 587 int audit_alloc(struct task_struct *tsk) 588 { 589 struct audit_context *context; 590 enum audit_state state; 591 592 if (likely(!audit_enabled)) 593 return 0; /* Return if not auditing. */ 594 595 state = audit_filter_task(tsk); 596 if (likely(state == AUDIT_DISABLED)) 597 return 0; 598 599 if (!(context = audit_alloc_context(state))) { 600 audit_log_lost("out of memory in audit_alloc"); 601 return -ENOMEM; 602 } 603 604 /* Preserve login uid */ 605 context->loginuid = -1; 606 if (current->audit_context) 607 context->loginuid = current->audit_context->loginuid; 608 609 tsk->audit_context = context; 610 set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT); 611 return 0; 612 } 613 614 static inline void audit_free_context(struct audit_context *context) 615 { 616 struct audit_context *previous; 617 int count = 0; 618 619 do { 620 previous = context->previous; 621 if (previous || (count && count < 10)) { 622 ++count; 623 printk(KERN_ERR "audit(:%d): major=%d name_count=%d:" 624 " freeing multiple contexts (%d)\n", 625 context->serial, context->major, 626 context->name_count, count); 627 } 628 audit_free_names(context); 629 audit_free_aux(context); 630 kfree(context); 631 context = previous; 632 } while (context); 633 if (count >= 10) 634 printk(KERN_ERR "audit: freed %d contexts\n", count); 635 } 636 637 static void audit_log_task_context(struct audit_buffer *ab) 638 { 639 char *ctx = NULL; 640 ssize_t len = 0; 641 642 len = security_getprocattr(current, "current", NULL, 0); 643 if (len < 0) { 644 if (len != -EINVAL) 645 goto error_path; 646 return; 647 } 648 649 ctx = kmalloc(len, GFP_KERNEL); 650 if (!ctx) 651 goto error_path; 652 653 len = security_getprocattr(current, "current", ctx, len); 654 if (len < 0 ) 655 goto error_path; 656 657 audit_log_format(ab, " subj=%s", ctx); 658 return; 659 660 error_path: 661 if (ctx) 662 kfree(ctx); 663 audit_panic("error in audit_log_task_context"); 664 return; 665 } 666 667 static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) 668 { 669 char name[sizeof(tsk->comm)]; 670 struct mm_struct *mm = tsk->mm; 671 struct vm_area_struct *vma; 672 673 /* tsk == current */ 674 675 get_task_comm(name, tsk); 676 audit_log_format(ab, " comm="); 677 audit_log_untrustedstring(ab, name); 678 679 if (mm) { 680 down_read(&mm->mmap_sem); 681 vma = mm->mmap; 682 while (vma) { 683 if ((vma->vm_flags & VM_EXECUTABLE) && 684 vma->vm_file) { 685 audit_log_d_path(ab, "exe=", 686 vma->vm_file->f_dentry, 687 vma->vm_file->f_vfsmnt); 688 break; 689 } 690 vma = vma->vm_next; 691 } 692 up_read(&mm->mmap_sem); 693 } 694 audit_log_task_context(ab); 695 } 696 697 static void audit_log_exit(struct audit_context *context, struct task_struct *tsk) 698 { 699 int i, call_panic = 0; 700 struct audit_buffer *ab; 701 struct audit_aux_data *aux; 702 const char *tty; 703 704 /* tsk == current */ 705 706 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL); 707 if (!ab) 708 return; /* audit_panic has been called */ 709 audit_log_format(ab, "arch=%x syscall=%d", 710 context->arch, context->major); 711 if (context->personality != PER_LINUX) 712 audit_log_format(ab, " per=%lx", context->personality); 713 if (context->return_valid) 714 audit_log_format(ab, " success=%s exit=%ld", 715 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no", 716 context->return_code); 717 if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name) 718 tty = tsk->signal->tty->name; 719 else 720 tty = "(none)"; 721 audit_log_format(ab, 722 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d" 723 " ppid=%d pid=%d auid=%u uid=%u gid=%u" 724 " euid=%u suid=%u fsuid=%u" 725 " egid=%u sgid=%u fsgid=%u tty=%s", 726 context->argv[0], 727 context->argv[1], 728 context->argv[2], 729 context->argv[3], 730 context->name_count, 731 context->ppid, 732 context->pid, 733 context->loginuid, 734 context->uid, 735 context->gid, 736 context->euid, context->suid, context->fsuid, 737 context->egid, context->sgid, context->fsgid, tty); 738 audit_log_task_info(ab, tsk); 739 audit_log_end(ab); 740 741 for (aux = context->aux; aux; aux = aux->next) { 742 743 ab = audit_log_start(context, GFP_KERNEL, aux->type); 744 if (!ab) 745 continue; /* audit_panic has been called */ 746 747 switch (aux->type) { 748 case AUDIT_MQ_OPEN: { 749 struct audit_aux_data_mq_open *axi = (void *)aux; 750 audit_log_format(ab, 751 "oflag=0x%x mode=%#o mq_flags=0x%lx mq_maxmsg=%ld " 752 "mq_msgsize=%ld mq_curmsgs=%ld", 753 axi->oflag, axi->mode, axi->attr.mq_flags, 754 axi->attr.mq_maxmsg, axi->attr.mq_msgsize, 755 axi->attr.mq_curmsgs); 756 break; } 757 758 case AUDIT_MQ_SENDRECV: { 759 struct audit_aux_data_mq_sendrecv *axi = (void *)aux; 760 audit_log_format(ab, 761 "mqdes=%d msg_len=%zd msg_prio=%u " 762 "abs_timeout_sec=%ld abs_timeout_nsec=%ld", 763 axi->mqdes, axi->msg_len, axi->msg_prio, 764 axi->abs_timeout.tv_sec, axi->abs_timeout.tv_nsec); 765 break; } 766 767 case AUDIT_MQ_NOTIFY: { 768 struct audit_aux_data_mq_notify *axi = (void *)aux; 769 audit_log_format(ab, 770 "mqdes=%d sigev_signo=%d", 771 axi->mqdes, 772 axi->notification.sigev_signo); 773 break; } 774 775 case AUDIT_MQ_GETSETATTR: { 776 struct audit_aux_data_mq_getsetattr *axi = (void *)aux; 777 audit_log_format(ab, 778 "mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld " 779 "mq_curmsgs=%ld ", 780 axi->mqdes, 781 axi->mqstat.mq_flags, axi->mqstat.mq_maxmsg, 782 axi->mqstat.mq_msgsize, axi->mqstat.mq_curmsgs); 783 break; } 784 785 case AUDIT_IPC: { 786 struct audit_aux_data_ipcctl *axi = (void *)aux; 787 audit_log_format(ab, 788 "ouid=%u ogid=%u mode=%x", 789 axi->uid, axi->gid, axi->mode); 790 if (axi->osid != 0) { 791 char *ctx = NULL; 792 u32 len; 793 if (selinux_ctxid_to_string( 794 axi->osid, &ctx, &len)) { 795 audit_log_format(ab, " osid=%u", 796 axi->osid); 797 call_panic = 1; 798 } else 799 audit_log_format(ab, " obj=%s", ctx); 800 kfree(ctx); 801 } 802 break; } 803 804 case AUDIT_IPC_SET_PERM: { 805 struct audit_aux_data_ipcctl *axi = (void *)aux; 806 audit_log_format(ab, 807 "qbytes=%lx ouid=%u ogid=%u mode=%x", 808 axi->qbytes, axi->uid, axi->gid, axi->mode); 809 break; } 810 811 case AUDIT_EXECVE: { 812 struct audit_aux_data_execve *axi = (void *)aux; 813 int i; 814 const char *p; 815 for (i = 0, p = axi->mem; i < axi->argc; i++) { 816 audit_log_format(ab, "a%d=", i); 817 p = audit_log_untrustedstring(ab, p); 818 audit_log_format(ab, "\n"); 819 } 820 break; } 821 822 case AUDIT_SOCKETCALL: { 823 int i; 824 struct audit_aux_data_socketcall *axs = (void *)aux; 825 audit_log_format(ab, "nargs=%d", axs->nargs); 826 for (i=0; i<axs->nargs; i++) 827 audit_log_format(ab, " a%d=%lx", i, axs->args[i]); 828 break; } 829 830 case AUDIT_SOCKADDR: { 831 struct audit_aux_data_sockaddr *axs = (void *)aux; 832 833 audit_log_format(ab, "saddr="); 834 audit_log_hex(ab, axs->a, axs->len); 835 break; } 836 837 case AUDIT_AVC_PATH: { 838 struct audit_aux_data_path *axi = (void *)aux; 839 audit_log_d_path(ab, "path=", axi->dentry, axi->mnt); 840 break; } 841 842 } 843 audit_log_end(ab); 844 } 845 846 if (context->pwd && context->pwdmnt) { 847 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); 848 if (ab) { 849 audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt); 850 audit_log_end(ab); 851 } 852 } 853 for (i = 0; i < context->name_count; i++) { 854 struct audit_names *n = &context->names[i]; 855 856 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH); 857 if (!ab) 858 continue; /* audit_panic has been called */ 859 860 audit_log_format(ab, "item=%d", i); 861 862 if (n->name) { 863 switch(n->name_len) { 864 case AUDIT_NAME_FULL: 865 /* log the full path */ 866 audit_log_format(ab, " name="); 867 audit_log_untrustedstring(ab, n->name); 868 break; 869 case 0: 870 /* name was specified as a relative path and the 871 * directory component is the cwd */ 872 audit_log_d_path(ab, " name=", context->pwd, 873 context->pwdmnt); 874 break; 875 default: 876 /* log the name's directory component */ 877 audit_log_format(ab, " name="); 878 audit_log_n_untrustedstring(ab, n->name_len, 879 n->name); 880 } 881 } else 882 audit_log_format(ab, " name=(null)"); 883 884 if (n->ino != (unsigned long)-1) { 885 audit_log_format(ab, " inode=%lu" 886 " dev=%02x:%02x mode=%#o" 887 " ouid=%u ogid=%u rdev=%02x:%02x", 888 n->ino, 889 MAJOR(n->dev), 890 MINOR(n->dev), 891 n->mode, 892 n->uid, 893 n->gid, 894 MAJOR(n->rdev), 895 MINOR(n->rdev)); 896 } 897 if (n->osid != 0) { 898 char *ctx = NULL; 899 u32 len; 900 if (selinux_ctxid_to_string( 901 n->osid, &ctx, &len)) { 902 audit_log_format(ab, " osid=%u", n->osid); 903 call_panic = 2; 904 } else 905 audit_log_format(ab, " obj=%s", ctx); 906 kfree(ctx); 907 } 908 909 audit_log_end(ab); 910 } 911 if (call_panic) 912 audit_panic("error converting sid to string"); 913 } 914 915 /** 916 * audit_free - free a per-task audit context 917 * @tsk: task whose audit context block to free 918 * 919 * Called from copy_process and do_exit 920 */ 921 void audit_free(struct task_struct *tsk) 922 { 923 struct audit_context *context; 924 925 context = audit_get_context(tsk, 0, 0); 926 if (likely(!context)) 927 return; 928 929 /* Check for system calls that do not go through the exit 930 * function (e.g., exit_group), then free context block. 931 * We use GFP_ATOMIC here because we might be doing this 932 * in the context of the idle thread */ 933 /* that can happen only if we are called from do_exit() */ 934 if (context->in_syscall && context->auditable) 935 audit_log_exit(context, tsk); 936 937 audit_free_context(context); 938 } 939 940 /** 941 * audit_syscall_entry - fill in an audit record at syscall entry 942 * @tsk: task being audited 943 * @arch: architecture type 944 * @major: major syscall type (function) 945 * @a1: additional syscall register 1 946 * @a2: additional syscall register 2 947 * @a3: additional syscall register 3 948 * @a4: additional syscall register 4 949 * 950 * Fill in audit context at syscall entry. This only happens if the 951 * audit context was created when the task was created and the state or 952 * filters demand the audit context be built. If the state from the 953 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT, 954 * then the record will be written at syscall exit time (otherwise, it 955 * will only be written if another part of the kernel requests that it 956 * be written). 957 */ 958 void audit_syscall_entry(int arch, int major, 959 unsigned long a1, unsigned long a2, 960 unsigned long a3, unsigned long a4) 961 { 962 struct task_struct *tsk = current; 963 struct audit_context *context = tsk->audit_context; 964 enum audit_state state; 965 966 BUG_ON(!context); 967 968 /* 969 * This happens only on certain architectures that make system 970 * calls in kernel_thread via the entry.S interface, instead of 971 * with direct calls. (If you are porting to a new 972 * architecture, hitting this condition can indicate that you 973 * got the _exit/_leave calls backward in entry.S.) 974 * 975 * i386 no 976 * x86_64 no 977 * ppc64 yes (see arch/powerpc/platforms/iseries/misc.S) 978 * 979 * This also happens with vm86 emulation in a non-nested manner 980 * (entries without exits), so this case must be caught. 981 */ 982 if (context->in_syscall) { 983 struct audit_context *newctx; 984 985 #if AUDIT_DEBUG 986 printk(KERN_ERR 987 "audit(:%d) pid=%d in syscall=%d;" 988 " entering syscall=%d\n", 989 context->serial, tsk->pid, context->major, major); 990 #endif 991 newctx = audit_alloc_context(context->state); 992 if (newctx) { 993 newctx->previous = context; 994 context = newctx; 995 tsk->audit_context = newctx; 996 } else { 997 /* If we can't alloc a new context, the best we 998 * can do is to leak memory (any pending putname 999 * will be lost). The only other alternative is 1000 * to abandon auditing. */ 1001 audit_zero_context(context, context->state); 1002 } 1003 } 1004 BUG_ON(context->in_syscall || context->name_count); 1005 1006 if (!audit_enabled) 1007 return; 1008 1009 context->arch = arch; 1010 context->major = major; 1011 context->argv[0] = a1; 1012 context->argv[1] = a2; 1013 context->argv[2] = a3; 1014 context->argv[3] = a4; 1015 1016 state = context->state; 1017 if (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT) 1018 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]); 1019 if (likely(state == AUDIT_DISABLED)) 1020 return; 1021 1022 context->serial = 0; 1023 context->ctime = CURRENT_TIME; 1024 context->in_syscall = 1; 1025 context->auditable = !!(state == AUDIT_RECORD_CONTEXT); 1026 } 1027 1028 /** 1029 * audit_syscall_exit - deallocate audit context after a system call 1030 * @tsk: task being audited 1031 * @valid: success/failure flag 1032 * @return_code: syscall return value 1033 * 1034 * Tear down after system call. If the audit context has been marked as 1035 * auditable (either because of the AUDIT_RECORD_CONTEXT state from 1036 * filtering, or because some other part of the kernel write an audit 1037 * message), then write out the syscall information. In call cases, 1038 * free the names stored from getname(). 1039 */ 1040 void audit_syscall_exit(int valid, long return_code) 1041 { 1042 struct task_struct *tsk = current; 1043 struct audit_context *context; 1044 1045 context = audit_get_context(tsk, valid, return_code); 1046 1047 if (likely(!context)) 1048 return; 1049 1050 if (context->in_syscall && context->auditable) 1051 audit_log_exit(context, tsk); 1052 1053 context->in_syscall = 0; 1054 context->auditable = 0; 1055 1056 if (context->previous) { 1057 struct audit_context *new_context = context->previous; 1058 context->previous = NULL; 1059 audit_free_context(context); 1060 tsk->audit_context = new_context; 1061 } else { 1062 audit_free_names(context); 1063 audit_free_aux(context); 1064 tsk->audit_context = context; 1065 } 1066 } 1067 1068 /** 1069 * audit_getname - add a name to the list 1070 * @name: name to add 1071 * 1072 * Add a name to the list of audit names for this context. 1073 * Called from fs/namei.c:getname(). 1074 */ 1075 void __audit_getname(const char *name) 1076 { 1077 struct audit_context *context = current->audit_context; 1078 1079 if (IS_ERR(name) || !name) 1080 return; 1081 1082 if (!context->in_syscall) { 1083 #if AUDIT_DEBUG == 2 1084 printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n", 1085 __FILE__, __LINE__, context->serial, name); 1086 dump_stack(); 1087 #endif 1088 return; 1089 } 1090 BUG_ON(context->name_count >= AUDIT_NAMES); 1091 context->names[context->name_count].name = name; 1092 context->names[context->name_count].name_len = AUDIT_NAME_FULL; 1093 context->names[context->name_count].name_put = 1; 1094 context->names[context->name_count].ino = (unsigned long)-1; 1095 ++context->name_count; 1096 if (!context->pwd) { 1097 read_lock(¤t->fs->lock); 1098 context->pwd = dget(current->fs->pwd); 1099 context->pwdmnt = mntget(current->fs->pwdmnt); 1100 read_unlock(¤t->fs->lock); 1101 } 1102 1103 } 1104 1105 /* audit_putname - intercept a putname request 1106 * @name: name to intercept and delay for putname 1107 * 1108 * If we have stored the name from getname in the audit context, 1109 * then we delay the putname until syscall exit. 1110 * Called from include/linux/fs.h:putname(). 1111 */ 1112 void audit_putname(const char *name) 1113 { 1114 struct audit_context *context = current->audit_context; 1115 1116 BUG_ON(!context); 1117 if (!context->in_syscall) { 1118 #if AUDIT_DEBUG == 2 1119 printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n", 1120 __FILE__, __LINE__, context->serial, name); 1121 if (context->name_count) { 1122 int i; 1123 for (i = 0; i < context->name_count; i++) 1124 printk(KERN_ERR "name[%d] = %p = %s\n", i, 1125 context->names[i].name, 1126 context->names[i].name ?: "(null)"); 1127 } 1128 #endif 1129 __putname(name); 1130 } 1131 #if AUDIT_DEBUG 1132 else { 1133 ++context->put_count; 1134 if (context->put_count > context->name_count) { 1135 printk(KERN_ERR "%s:%d(:%d): major=%d" 1136 " in_syscall=%d putname(%p) name_count=%d" 1137 " put_count=%d\n", 1138 __FILE__, __LINE__, 1139 context->serial, context->major, 1140 context->in_syscall, name, context->name_count, 1141 context->put_count); 1142 dump_stack(); 1143 } 1144 } 1145 #endif 1146 } 1147 1148 static void audit_inode_context(int idx, const struct inode *inode) 1149 { 1150 struct audit_context *context = current->audit_context; 1151 1152 selinux_get_inode_sid(inode, &context->names[idx].osid); 1153 } 1154 1155 1156 /** 1157 * audit_inode - store the inode and device from a lookup 1158 * @name: name being audited 1159 * @inode: inode being audited 1160 * 1161 * Called from fs/namei.c:path_lookup(). 1162 */ 1163 void __audit_inode(const char *name, const struct inode *inode) 1164 { 1165 int idx; 1166 struct audit_context *context = current->audit_context; 1167 1168 if (!context->in_syscall) 1169 return; 1170 if (context->name_count 1171 && context->names[context->name_count-1].name 1172 && context->names[context->name_count-1].name == name) 1173 idx = context->name_count - 1; 1174 else if (context->name_count > 1 1175 && context->names[context->name_count-2].name 1176 && context->names[context->name_count-2].name == name) 1177 idx = context->name_count - 2; 1178 else { 1179 /* FIXME: how much do we care about inodes that have no 1180 * associated name? */ 1181 if (context->name_count >= AUDIT_NAMES - AUDIT_NAMES_RESERVED) 1182 return; 1183 idx = context->name_count++; 1184 context->names[idx].name = NULL; 1185 #if AUDIT_DEBUG 1186 ++context->ino_count; 1187 #endif 1188 } 1189 context->names[idx].ino = inode->i_ino; 1190 context->names[idx].dev = inode->i_sb->s_dev; 1191 context->names[idx].mode = inode->i_mode; 1192 context->names[idx].uid = inode->i_uid; 1193 context->names[idx].gid = inode->i_gid; 1194 context->names[idx].rdev = inode->i_rdev; 1195 audit_inode_context(idx, inode); 1196 } 1197 1198 /** 1199 * audit_inode_child - collect inode info for created/removed objects 1200 * @dname: inode's dentry name 1201 * @inode: inode being audited 1202 * @pino: inode number of dentry parent 1203 * 1204 * For syscalls that create or remove filesystem objects, audit_inode 1205 * can only collect information for the filesystem object's parent. 1206 * This call updates the audit context with the child's information. 1207 * Syscalls that create a new filesystem object must be hooked after 1208 * the object is created. Syscalls that remove a filesystem object 1209 * must be hooked prior, in order to capture the target inode during 1210 * unsuccessful attempts. 1211 */ 1212 void __audit_inode_child(const char *dname, const struct inode *inode, 1213 unsigned long pino) 1214 { 1215 int idx; 1216 struct audit_context *context = current->audit_context; 1217 const char *found_name = NULL; 1218 int dirlen = 0; 1219 1220 if (!context->in_syscall) 1221 return; 1222 1223 /* determine matching parent */ 1224 if (!dname) 1225 goto update_context; 1226 for (idx = 0; idx < context->name_count; idx++) 1227 if (context->names[idx].ino == pino) { 1228 const char *name = context->names[idx].name; 1229 1230 if (!name) 1231 continue; 1232 1233 if (audit_compare_dname_path(dname, name, &dirlen) == 0) { 1234 context->names[idx].name_len = dirlen; 1235 found_name = name; 1236 break; 1237 } 1238 } 1239 1240 update_context: 1241 idx = context->name_count++; 1242 #if AUDIT_DEBUG 1243 context->ino_count++; 1244 #endif 1245 /* Re-use the name belonging to the slot for a matching parent directory. 1246 * All names for this context are relinquished in audit_free_names() */ 1247 context->names[idx].name = found_name; 1248 context->names[idx].name_len = AUDIT_NAME_FULL; 1249 context->names[idx].name_put = 0; /* don't call __putname() */ 1250 1251 if (inode) { 1252 context->names[idx].ino = inode->i_ino; 1253 context->names[idx].dev = inode->i_sb->s_dev; 1254 context->names[idx].mode = inode->i_mode; 1255 context->names[idx].uid = inode->i_uid; 1256 context->names[idx].gid = inode->i_gid; 1257 context->names[idx].rdev = inode->i_rdev; 1258 audit_inode_context(idx, inode); 1259 } else 1260 context->names[idx].ino = (unsigned long)-1; 1261 } 1262 1263 /** 1264 * auditsc_get_stamp - get local copies of audit_context values 1265 * @ctx: audit_context for the task 1266 * @t: timespec to store time recorded in the audit_context 1267 * @serial: serial value that is recorded in the audit_context 1268 * 1269 * Also sets the context as auditable. 1270 */ 1271 void auditsc_get_stamp(struct audit_context *ctx, 1272 struct timespec *t, unsigned int *serial) 1273 { 1274 if (!ctx->serial) 1275 ctx->serial = audit_serial(); 1276 t->tv_sec = ctx->ctime.tv_sec; 1277 t->tv_nsec = ctx->ctime.tv_nsec; 1278 *serial = ctx->serial; 1279 ctx->auditable = 1; 1280 } 1281 1282 /** 1283 * audit_set_loginuid - set a task's audit_context loginuid 1284 * @task: task whose audit context is being modified 1285 * @loginuid: loginuid value 1286 * 1287 * Returns 0. 1288 * 1289 * Called (set) from fs/proc/base.c::proc_loginuid_write(). 1290 */ 1291 int audit_set_loginuid(struct task_struct *task, uid_t loginuid) 1292 { 1293 struct audit_context *context = task->audit_context; 1294 1295 if (context) { 1296 /* Only log if audit is enabled */ 1297 if (context->in_syscall) { 1298 struct audit_buffer *ab; 1299 1300 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN); 1301 if (ab) { 1302 audit_log_format(ab, "login pid=%d uid=%u " 1303 "old auid=%u new auid=%u", 1304 task->pid, task->uid, 1305 context->loginuid, loginuid); 1306 audit_log_end(ab); 1307 } 1308 } 1309 context->loginuid = loginuid; 1310 } 1311 return 0; 1312 } 1313 1314 /** 1315 * audit_get_loginuid - get the loginuid for an audit_context 1316 * @ctx: the audit_context 1317 * 1318 * Returns the context's loginuid or -1 if @ctx is NULL. 1319 */ 1320 uid_t audit_get_loginuid(struct audit_context *ctx) 1321 { 1322 return ctx ? ctx->loginuid : -1; 1323 } 1324 1325 /** 1326 * __audit_mq_open - record audit data for a POSIX MQ open 1327 * @oflag: open flag 1328 * @mode: mode bits 1329 * @u_attr: queue attributes 1330 * 1331 * Returns 0 for success or NULL context or < 0 on error. 1332 */ 1333 int __audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr) 1334 { 1335 struct audit_aux_data_mq_open *ax; 1336 struct audit_context *context = current->audit_context; 1337 1338 if (!audit_enabled) 1339 return 0; 1340 1341 if (likely(!context)) 1342 return 0; 1343 1344 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1345 if (!ax) 1346 return -ENOMEM; 1347 1348 if (u_attr != NULL) { 1349 if (copy_from_user(&ax->attr, u_attr, sizeof(ax->attr))) { 1350 kfree(ax); 1351 return -EFAULT; 1352 } 1353 } else 1354 memset(&ax->attr, 0, sizeof(ax->attr)); 1355 1356 ax->oflag = oflag; 1357 ax->mode = mode; 1358 1359 ax->d.type = AUDIT_MQ_OPEN; 1360 ax->d.next = context->aux; 1361 context->aux = (void *)ax; 1362 return 0; 1363 } 1364 1365 /** 1366 * __audit_mq_timedsend - record audit data for a POSIX MQ timed send 1367 * @mqdes: MQ descriptor 1368 * @msg_len: Message length 1369 * @msg_prio: Message priority 1370 * @abs_timeout: Message timeout in absolute time 1371 * 1372 * Returns 0 for success or NULL context or < 0 on error. 1373 */ 1374 int __audit_mq_timedsend(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, 1375 const struct timespec __user *u_abs_timeout) 1376 { 1377 struct audit_aux_data_mq_sendrecv *ax; 1378 struct audit_context *context = current->audit_context; 1379 1380 if (!audit_enabled) 1381 return 0; 1382 1383 if (likely(!context)) 1384 return 0; 1385 1386 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1387 if (!ax) 1388 return -ENOMEM; 1389 1390 if (u_abs_timeout != NULL) { 1391 if (copy_from_user(&ax->abs_timeout, u_abs_timeout, sizeof(ax->abs_timeout))) { 1392 kfree(ax); 1393 return -EFAULT; 1394 } 1395 } else 1396 memset(&ax->abs_timeout, 0, sizeof(ax->abs_timeout)); 1397 1398 ax->mqdes = mqdes; 1399 ax->msg_len = msg_len; 1400 ax->msg_prio = msg_prio; 1401 1402 ax->d.type = AUDIT_MQ_SENDRECV; 1403 ax->d.next = context->aux; 1404 context->aux = (void *)ax; 1405 return 0; 1406 } 1407 1408 /** 1409 * __audit_mq_timedreceive - record audit data for a POSIX MQ timed receive 1410 * @mqdes: MQ descriptor 1411 * @msg_len: Message length 1412 * @msg_prio: Message priority 1413 * @abs_timeout: Message timeout in absolute time 1414 * 1415 * Returns 0 for success or NULL context or < 0 on error. 1416 */ 1417 int __audit_mq_timedreceive(mqd_t mqdes, size_t msg_len, 1418 unsigned int __user *u_msg_prio, 1419 const struct timespec __user *u_abs_timeout) 1420 { 1421 struct audit_aux_data_mq_sendrecv *ax; 1422 struct audit_context *context = current->audit_context; 1423 1424 if (!audit_enabled) 1425 return 0; 1426 1427 if (likely(!context)) 1428 return 0; 1429 1430 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1431 if (!ax) 1432 return -ENOMEM; 1433 1434 if (u_msg_prio != NULL) { 1435 if (get_user(ax->msg_prio, u_msg_prio)) { 1436 kfree(ax); 1437 return -EFAULT; 1438 } 1439 } else 1440 ax->msg_prio = 0; 1441 1442 if (u_abs_timeout != NULL) { 1443 if (copy_from_user(&ax->abs_timeout, u_abs_timeout, sizeof(ax->abs_timeout))) { 1444 kfree(ax); 1445 return -EFAULT; 1446 } 1447 } else 1448 memset(&ax->abs_timeout, 0, sizeof(ax->abs_timeout)); 1449 1450 ax->mqdes = mqdes; 1451 ax->msg_len = msg_len; 1452 1453 ax->d.type = AUDIT_MQ_SENDRECV; 1454 ax->d.next = context->aux; 1455 context->aux = (void *)ax; 1456 return 0; 1457 } 1458 1459 /** 1460 * __audit_mq_notify - record audit data for a POSIX MQ notify 1461 * @mqdes: MQ descriptor 1462 * @u_notification: Notification event 1463 * 1464 * Returns 0 for success or NULL context or < 0 on error. 1465 */ 1466 1467 int __audit_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification) 1468 { 1469 struct audit_aux_data_mq_notify *ax; 1470 struct audit_context *context = current->audit_context; 1471 1472 if (!audit_enabled) 1473 return 0; 1474 1475 if (likely(!context)) 1476 return 0; 1477 1478 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1479 if (!ax) 1480 return -ENOMEM; 1481 1482 if (u_notification != NULL) { 1483 if (copy_from_user(&ax->notification, u_notification, sizeof(ax->notification))) { 1484 kfree(ax); 1485 return -EFAULT; 1486 } 1487 } else 1488 memset(&ax->notification, 0, sizeof(ax->notification)); 1489 1490 ax->mqdes = mqdes; 1491 1492 ax->d.type = AUDIT_MQ_NOTIFY; 1493 ax->d.next = context->aux; 1494 context->aux = (void *)ax; 1495 return 0; 1496 } 1497 1498 /** 1499 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute 1500 * @mqdes: MQ descriptor 1501 * @mqstat: MQ flags 1502 * 1503 * Returns 0 for success or NULL context or < 0 on error. 1504 */ 1505 int __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 1506 { 1507 struct audit_aux_data_mq_getsetattr *ax; 1508 struct audit_context *context = current->audit_context; 1509 1510 if (!audit_enabled) 1511 return 0; 1512 1513 if (likely(!context)) 1514 return 0; 1515 1516 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1517 if (!ax) 1518 return -ENOMEM; 1519 1520 ax->mqdes = mqdes; 1521 ax->mqstat = *mqstat; 1522 1523 ax->d.type = AUDIT_MQ_GETSETATTR; 1524 ax->d.next = context->aux; 1525 context->aux = (void *)ax; 1526 return 0; 1527 } 1528 1529 /** 1530 * audit_ipc_obj - record audit data for ipc object 1531 * @ipcp: ipc permissions 1532 * 1533 * Returns 0 for success or NULL context or < 0 on error. 1534 */ 1535 int __audit_ipc_obj(struct kern_ipc_perm *ipcp) 1536 { 1537 struct audit_aux_data_ipcctl *ax; 1538 struct audit_context *context = current->audit_context; 1539 1540 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1541 if (!ax) 1542 return -ENOMEM; 1543 1544 ax->uid = ipcp->uid; 1545 ax->gid = ipcp->gid; 1546 ax->mode = ipcp->mode; 1547 selinux_get_ipc_sid(ipcp, &ax->osid); 1548 1549 ax->d.type = AUDIT_IPC; 1550 ax->d.next = context->aux; 1551 context->aux = (void *)ax; 1552 return 0; 1553 } 1554 1555 /** 1556 * audit_ipc_set_perm - record audit data for new ipc permissions 1557 * @qbytes: msgq bytes 1558 * @uid: msgq user id 1559 * @gid: msgq group id 1560 * @mode: msgq mode (permissions) 1561 * 1562 * Returns 0 for success or NULL context or < 0 on error. 1563 */ 1564 int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) 1565 { 1566 struct audit_aux_data_ipcctl *ax; 1567 struct audit_context *context = current->audit_context; 1568 1569 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1570 if (!ax) 1571 return -ENOMEM; 1572 1573 ax->qbytes = qbytes; 1574 ax->uid = uid; 1575 ax->gid = gid; 1576 ax->mode = mode; 1577 1578 ax->d.type = AUDIT_IPC_SET_PERM; 1579 ax->d.next = context->aux; 1580 context->aux = (void *)ax; 1581 return 0; 1582 } 1583 1584 int audit_bprm(struct linux_binprm *bprm) 1585 { 1586 struct audit_aux_data_execve *ax; 1587 struct audit_context *context = current->audit_context; 1588 unsigned long p, next; 1589 void *to; 1590 1591 if (likely(!audit_enabled || !context)) 1592 return 0; 1593 1594 ax = kmalloc(sizeof(*ax) + PAGE_SIZE * MAX_ARG_PAGES - bprm->p, 1595 GFP_KERNEL); 1596 if (!ax) 1597 return -ENOMEM; 1598 1599 ax->argc = bprm->argc; 1600 ax->envc = bprm->envc; 1601 for (p = bprm->p, to = ax->mem; p < MAX_ARG_PAGES*PAGE_SIZE; p = next) { 1602 struct page *page = bprm->page[p / PAGE_SIZE]; 1603 void *kaddr = kmap(page); 1604 next = (p + PAGE_SIZE) & ~(PAGE_SIZE - 1); 1605 memcpy(to, kaddr + (p & (PAGE_SIZE - 1)), next - p); 1606 to += next - p; 1607 kunmap(page); 1608 } 1609 1610 ax->d.type = AUDIT_EXECVE; 1611 ax->d.next = context->aux; 1612 context->aux = (void *)ax; 1613 return 0; 1614 } 1615 1616 1617 /** 1618 * audit_socketcall - record audit data for sys_socketcall 1619 * @nargs: number of args 1620 * @args: args array 1621 * 1622 * Returns 0 for success or NULL context or < 0 on error. 1623 */ 1624 int audit_socketcall(int nargs, unsigned long *args) 1625 { 1626 struct audit_aux_data_socketcall *ax; 1627 struct audit_context *context = current->audit_context; 1628 1629 if (likely(!context)) 1630 return 0; 1631 1632 ax = kmalloc(sizeof(*ax) + nargs * sizeof(unsigned long), GFP_KERNEL); 1633 if (!ax) 1634 return -ENOMEM; 1635 1636 ax->nargs = nargs; 1637 memcpy(ax->args, args, nargs * sizeof(unsigned long)); 1638 1639 ax->d.type = AUDIT_SOCKETCALL; 1640 ax->d.next = context->aux; 1641 context->aux = (void *)ax; 1642 return 0; 1643 } 1644 1645 /** 1646 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto 1647 * @len: data length in user space 1648 * @a: data address in kernel space 1649 * 1650 * Returns 0 for success or NULL context or < 0 on error. 1651 */ 1652 int audit_sockaddr(int len, void *a) 1653 { 1654 struct audit_aux_data_sockaddr *ax; 1655 struct audit_context *context = current->audit_context; 1656 1657 if (likely(!context)) 1658 return 0; 1659 1660 ax = kmalloc(sizeof(*ax) + len, GFP_KERNEL); 1661 if (!ax) 1662 return -ENOMEM; 1663 1664 ax->len = len; 1665 memcpy(ax->a, a, len); 1666 1667 ax->d.type = AUDIT_SOCKADDR; 1668 ax->d.next = context->aux; 1669 context->aux = (void *)ax; 1670 return 0; 1671 } 1672 1673 /** 1674 * audit_avc_path - record the granting or denial of permissions 1675 * @dentry: dentry to record 1676 * @mnt: mnt to record 1677 * 1678 * Returns 0 for success or NULL context or < 0 on error. 1679 * 1680 * Called from security/selinux/avc.c::avc_audit() 1681 */ 1682 int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt) 1683 { 1684 struct audit_aux_data_path *ax; 1685 struct audit_context *context = current->audit_context; 1686 1687 if (likely(!context)) 1688 return 0; 1689 1690 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1691 if (!ax) 1692 return -ENOMEM; 1693 1694 ax->dentry = dget(dentry); 1695 ax->mnt = mntget(mnt); 1696 1697 ax->d.type = AUDIT_AVC_PATH; 1698 ax->d.next = context->aux; 1699 context->aux = (void *)ax; 1700 return 0; 1701 } 1702 1703 /** 1704 * audit_signal_info - record signal info for shutting down audit subsystem 1705 * @sig: signal value 1706 * @t: task being signaled 1707 * 1708 * If the audit subsystem is being terminated, record the task (pid) 1709 * and uid that is doing that. 1710 */ 1711 void __audit_signal_info(int sig, struct task_struct *t) 1712 { 1713 extern pid_t audit_sig_pid; 1714 extern uid_t audit_sig_uid; 1715 extern u32 audit_sig_sid; 1716 1717 if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) { 1718 struct task_struct *tsk = current; 1719 struct audit_context *ctx = tsk->audit_context; 1720 audit_sig_pid = tsk->pid; 1721 if (ctx) 1722 audit_sig_uid = ctx->loginuid; 1723 else 1724 audit_sig_uid = tsk->uid; 1725 selinux_get_task_sid(tsk, &audit_sig_sid); 1726 } 1727 } 1728